On Monday at Apple’s WWDC keynote event, it was revealed that the original 2010 iPad would not be graced with an update to iOS 6. Like the iPhone and iPhone 3G before it, it has reached the end of life.
So it goes.
But there’s an issue here, and it’s one that we’re only beginning to stumble into in this “post-PC” era. Security. What happens when laptop replacements can’t enjoy security updates for as long as their predecessors did?
Laptops and desktop PCs have a long lifespan. They’re an expensive investment of several hundred to several thousand pounds. But mobiles have a much shorter lifespan: they (sometimes) cost less, and the upgrade cycle of network contracts encourages rapid obsolescence.
But what happens when the replacement for one – and for many casual internet users, the iPad has become this – uses the operating system of the other? That’s something we’re only just about to find out.
“Tablets are fascinating because I think they’re existing in a world of 18 month windows,” says Kevin Mahaffey, founder and chief technology officer at Lookout Mobile Security, which provides security software for both iPhone and Android smartphones.
“But they’re replacing devices of substantially longer windows…and of course Apple is incentivised to make that as short as possible so you can buy a new one.”
Let’s set aside the issue of how long a device should get new features for. For the purposes of this article, that’s moot. Let’s talk about security. That two-year upgrade window for the iPad is in stark contrast to Apple’s approach on desktop Macs. iMacs and MacBook laptops from 2007 onwards, Mac Pros from 2008 and Mac Minis from early 2009 onwards will all run OS X Mountain Lion, the latest version of Apple’s desktop OS, which is due out next month, and will receive the security fixes that inevitably come with a major new operating system release.
It’s in even more vivid contrast to Microsoft’s legacy support. Windows XP, which launched all the way back in 2001, will receive security updates until the 8th of April 2014.
In other words, we’re moving from using devices with more than twelve years of security support, to ones with an expected life cycle closer to two.
We asked Apple about its plans in case any glaring security issues arise from now on with the first generation iPad. At the time of writing, the company had yet to comment.
Rik Ferguson, director of security research and communications at internet security firm Trend Micro, says that this clash of paradigms is going to be a major issue in this new age – one Steve Jobs himself defined as the “Post-PC” era.
“Innovation and competition among hardware vendors is far more rapid-paced than the traditional software environments, the periods between significant new operating systems is far greater than handset, tablet or even PC hardware upgrades. In the post PC world, operating systems need to be overhauled to take advantage of these new hardware innovations with the same rapidity, it’s no longer a case of just installing a new device driver.”
Apple’s “walled garden” approach (apps can only be installed from the company’s own app stores, and these are vetted before being put on sale) does mean iOS is relatively secure. Certainly, you don’t see very many of the premium SMS scams that you do on Android (apps with links to what looks like the Google Play store, but which trick you into signing up for SMS alerts that cost you money) – something that Mahaffey says is the major problem affecting Android users today.
But a serious security issue on an old but still extremely popular iOS device is far from theoretical.
“Vulnerabilities affecting Apple’s iOS are nothing new, there have been a steady stream of them patched, since the operating system was born,” says Ferguson.
“Some of these vulnerabilities have been serious enough that they would allow remote execution of unsigned code on Apple devices. In layman’s terms that means that an attacker could run a program of their choice, remotely on your iPad – that’s not good.”
An example: iOS 4 was famously jailbroken just two months after release through an exploit in the way PDF files were rendered. Users could jailbreak their iPhone, iPod touch or iPad simply by visiting a website.
If another flaw in the code is found, there’s no reason somebody couldn’t exploit iOS in the same way in the future – for malicious ends. All it takes is someone interested in targeting the demographic using a device susceptible to the exploit.
And there are a lot of people using first generation iPads. iPad sales for the first three quarters after the first model went on sale, but before the iPad 2 debuted, totalled 14.79 million. The first iPad remained on sale for several months after the iPad 2 hit shelves. We don’t know how many of those people have upgraded to a newer iPad since then, but at £399 a pop, it’s unlikely to be close to all of them.
“If Apple ending support of the original iPad means that future updates to the operating system will not be compatible with older devices then clearly that presents a security risk,” says Ferguson.
Of course, there is an elephant in the room. Quite a few in fact: Android tablets. If this is a potential problem for iPad users and Apple, it’s even more of an issue for Google. Android is open-source, and often heavily modified by manufacturers: Google itself is only responsible for updating a handful of devices. And there are a lot of abandoned Android tablets out there already.
“At least with Apple there’s only one company that controls it,” says Mahaffey.
But as we’ve reported before, Apple owns the tablet market: it owns the sales, and it owns the mindshare. This is going to be an issue for Apple first, and with the iPad going to the graveyard, it starts now.